8578441

Enforcing Network Security Policies with Packet Labels

Published: November 5, 2013
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
35 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A secured network configured to carry data, comprising a plurality of network bubbles and a plurality of network control points, wherein each said network bubble comprises one or more bubble partitions and each said bubble partition comprises at least one networked device configured to transmit and receive data, and all of the network devices corresponding to at least one of the plurality of network bubbles have a common network security policy, wherein at least one network control point is provided with a marker module arranged to mark outgoing packets with a label corresponding to the network bubble from which the packets originate that can be used to enforce the network security policy of the at least one network bubble.

2. A secured network as claimed in claim 1 wherein at least one of the network control point devices is arranged to apply the network security policy of the at least one network bubble to incoming packets based on a value of the label within said incoming packets.

3. A secured network as claimed in claim 1, wherein the at least one network control point includes one or more network control point devices having at least one interface, wherein the label to be applied to a packet is determined according to which interface of the network control point device an outgoing packet is received from.

4. A secured network as claimed in claim 3, wherein the network control point device is a router.

5. A secured network as claimed in claim 1, wherein the plurality of network control points are coupled to one another via a trusted backbone that is trusted not to permit modification of the labels applied to packets in transit.

6. A secured network as claimed in claim 1 wherein each said bubble has a corresponding label value.

7. A secured network as claimed in claim 1 wherein a label value is reserved for packets from unknown or untrusted sources.

8. A secured network as claimed in claim 1 wherein the marking is applied to a ToS byte of an IPV4 packet.

9. A secured network as claimed in claim 1 wherein the marking is applied to delay, throughput, reliability and cost bits of a ToS byte of an IPV4 packet.

10. A secured network as claimed in claim 1 wherein the marking is applied to the flow label of an IPV6 packet.

11. A secured network as claimed in claim 1 wherein the network control point is arranged to enforce source address integrity.

12. A method of operating a plurality of network control points to secure a network having a plurality of bubbles where each said bubble has a plurality of bubble partitions and a plurality of network control points configured to connect the plurality of bubble partitions, the method comprising: marking outgoing packets with a label corresponding to the network bubble from which the packets originate; and applying a security policy for incoming packets based on a value of the label in the incoming packets.

13. A method as claimed in claim 12, wherein the network control point includes one or more network control point devices having at least one interface, wherein the label to be applied to a packet is determined according to which interface of the network control point device an outgoing packet is received from.

14. A method as claimed in claim 12 wherein the network control point device is a router.

15. A method as claimed in claim 12, comprising trusting a backbone interconnecting the network control points not to permit modification of the labels applied to packets in transit.

16. A method as claimed in claim 12 comprising assigning a label value to each said bubble.

17. A method as claimed in claim 12 comprising reserving a label value for packets from unknown or untrusted sources.

18. A method as claimed in claim 12 wherein the marking is applied to a ToS byte of an IPV4 packet.

19. A method as claimed in claim 12 wherein the marking is applied to delay, throughput, reliability and cost bits of a ToS byte of an IPV4 packet.

20. A method as claimed in claim 12 wherein the marking is applied to the flow label of an IPV6 packet.

21. A network configured to carry data, comprising a plurality of network bubbles and a plurality of network control points coupled to one another via a backbone that is trusted not to permit modification of the packets in transit, wherein each said network bubble comprises one or more bubble partitions and each said bubble partition comprises at least one networked device configured to transmit and receive data, and all of the network devices corresponding to at least one of the plurality of network bubbles have a common network security policy, wherein each said bubble has a corresponding label value and at least one network control point is provided with a marker module arranged to mark outgoing packets with a label corresponding to the network bubble from which the packets originate that can be used to enforce the network security policy of the at least one network bubble and wherein at least another of the network control point devices is arranged to apply the network security policy of the at least one network bubble to incoming packets based on a value of the label within incoming packets.

22. A network as claimed in claim 21, wherein the at least one network control point includes one or more network control point devices having at least one interface, wherein the label to be applied to a packet is determined according to which interface of the network control point device an outgoing packet is received from.

23. A network as claimed in claim 22, wherein the network control point device is a router.

24. A network as claimed in claim 23 wherein a label value is reserved for packets from unknown or untrusted sources.

25. A network as claimed in claim 23 wherein the marking is applied to a ToS byte of an IPV4 packet.

26. A network as claimed in claim 23 wherein the marking is applied to delay, throughput, reliability and cost bits of a ToS byte of an IPV4 packet.

27. A network as claimed in claim 21 wherein the marking is applied to the flow label of an IPV6 packet.

28. A network control point device for use in a secured network configured to carry data, the network comprising a plurality of network bubbles and a plurality of network control points, the network control point device comprising a marker module arranged to mark outgoing packets with a label corresponding to the network bubble from which the packets originate that can be used to enforce the network security policy of the network bubbles and a marking table linking a label to each said bubble.

29. A network control point device as claimed in claim 28 arranged to apply the network security policy of at least one network bubble to incoming packets based on a value of the label within said incoming packets.

30. A network control point device as claimed in claim 28, wherein the label to be applied to a packet is determined according to which interface of the network control point device an outgoing packet is received from.

31. A network control point device as claimed in claim 28 wherein the network control point device is a router.

32. A network control point device as claimed in claim 28 wherein the marking is applied to a ToS byte of an IPV4 packet.

33. A network control point device as claimed in claim 28 wherein the marking is applied to delay, throughput, reliability and cost bits of a ToS byte of an IPV4 packet.

34. A network control point device as claimed in claim 28 wherein the marking is applied to the flow label of an IPV6 packet.

35. A network control point device as claimed in claim 28 arranged to enforce source address integrity.
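As an added illustration (not code from the patent or any product), the following Python models one network control point's marker module and a peer control point's label-based enforcement: the label goes into the D/T/R/C bits of the IPv4 ToS byte (claims 9, 19, 26, 33), label 0 is the reserved untrusted value (claim 7), a source outside its ingress interface's prefix loses its bubble label (claim 11), and a small IPv6 flow-label variant covers claim 10. The marking table, prefixes and policy are constructed assumptions for the example.

```python
import ipaddress

# ToS byte layout (RFC 1349): precedence (3 bits) | D T R C (4 bits) | MBZ (1 bit).
# The claims place the bubble label in the D/T/R/C bits, i.e. bits 1..4 of the byte.
LABEL_SHIFT = 1
LABEL_MASK = 0x0F << LABEL_SHIFT          # 0x1E
UNTRUSTED_LABEL = 0                       # reserved for unknown/untrusted sources (claim 7)

# Constructed marking table for one network control point (claim 28):
# ingress interface -> (bubble label, prefixes of the bubble partition behind it)
MARKING_TABLE = {
    "eth1": (1, [ipaddress.ip_network("10.1.0.0/16")]),   # bubble A
    "eth2": (2, [ipaddress.ip_network("10.2.0.0/16")]),   # bubble B
}

# Constructed policy: destination bubble -> source labels it admits (claim 2)
POLICY = {1: {1, 2}, 2: {2}}              # bubble B only admits its own traffic


def mark_outgoing(tos: int, ingress_if: str, src_ip: str) -> int:
    """Marker module: write the bubble label of the ingress interface into the
    D/T/R/C bits, leaving the precedence bits untouched (claims 3 and 9)."""
    label, prefixes = MARKING_TABLE.get(ingress_if, (UNTRUSTED_LABEL, []))
    # Source address integrity (claim 11): a source outside the prefixes of its
    # ingress interface gets the reserved untrusted label instead of its bubble's.
    if not any(ipaddress.ip_address(src_ip) in p for p in prefixes):
        label = UNTRUSTED_LABEL
    return (tos & 0xFF & ~LABEL_MASK) | (label << LABEL_SHIFT)


def label_of(tos: int) -> int:
    """Read the bubble label back out of a ToS byte."""
    return (tos & LABEL_MASK) >> LABEL_SHIFT


def admit_incoming(tos: int, dst_bubble: int) -> bool:
    """Peer control point: enforce the destination bubble's policy from the
    label alone; the untrusted label (0) is in no bubble's admit set."""
    return label_of(tos) in POLICY.get(dst_bubble, set())


def mark_ipv6_flow_label(first_word: int, label: int) -> int:
    """IPv6 variant (claim 10): write the label into the 20-bit flow label of the
    header's first 32-bit word, preserving the version and traffic class fields."""
    return (first_word & ~0xFFFFF) | (label & 0xFFFFF)


if __name__ == "__main__":
    tos = mark_outgoing(0xE0, "eth1", "10.1.7.7")      # precedence 111 kept, label 1 -> 0xE2
    print(hex(tos), admit_incoming(tos, 2))            # 0xe2 False: bubble B rejects bubble A
```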

Patent Metadata

Filing Date

Unknown

Publication Date

November 5, 2013

Inventors

Vincent Giles
Brian Jemes

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “ENFORCING NETWORK SECURITY POLICIES WITH PACKET LABELS” (8578441). https://patentable.app/patents/8578441
